
Thread: My giftload.click problem woops

  1. #21
    Member | Join Date: Mar 2011 | Posts: 30

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-31 20:30:21
    -----------------------------
    20:30:21.505 OS Version: Windows 6.0.6001 Service Pack 1
    20:30:21.505 Number of processors: 4 586 0x203
    20:30:21.505 ComputerName: DAVESBIGMACHINE UserName: 1
    20:30:23.268 Initialize success
    20:30:27.761 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
    20:30:27.761 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
    20:30:27.776 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
    20:30:27.776 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
    20:30:27.776 Device \Device\Ide\IdeDeviceP0T1L0-2 -> \??\IDE#DiskWDC_WD1600AAJS-00B4A0___________________01.03A01#5&2e153c89&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    20:30:29.804 Disk 0 MBR read successfully
    20:30:29.804 Disk 0 MBR scan
    20:30:29.804 Disk 0 TDL4@MBR code has been found
    20:30:29.820 Disk 0 MBR hidden
    20:30:29.820 Disk 0 MBR [TDL4] **ROOTKIT**
    20:30:29.835 Disk 0 trace - called modules:
    20:30:29.835 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x86216439]<<
    20:30:29.851 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a85d8]
    20:30:29.851 3 CLASSPNP.SYS[881a9745] -> nt!IofCallDriver -> [0x852a8e40]
    20:30:29.867 5 PCTCore.sys[8079f099] -> nt!IofCallDriver -> [0x852a4878]
    20:30:29.882 7 acpi.sys[8060f6a0] -> nt!IofCallDriver -> [0x85293ba0]
    20:30:29.882 \Driver\atapi[0x85c6c908] -> IRP_MJ_CREATE -> 0x86216439
    20:30:29.898 Scan finished successfully

  2. #22
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208

    Your system is infected with the TDL4 Rootkit; it didn't show up on the other scanners.

    Re-Run aswMBR

    Click Scan

    On completion of the scan

    Click the Fix Button

    Save the log as before and post in your next reply
    Last edited by ken545; 2011-04-01 at 02:58.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Member | Join Date: Mar 2011 | Posts: 30

    OK here it is. I am also getting a hard disk error now which will require some tending. I think it is in my RAID. Can I make the repair before a failure?
    Dave

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-31 21:00:23
    -----------------------------
    21:00:23.476 OS Version: Windows 6.0.6001 Service Pack 1
    21:00:23.476 Number of processors: 4 586 0x203
    21:00:23.476 ComputerName: DAVESBIGMACHINE UserName: 1
    21:00:23.757 Initialize success
    21:00:25.956 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-2
    21:00:25.956 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
    21:00:25.956 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
    21:00:25.972 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
    21:00:28.000 Disk 0 MBR read successfully
    21:00:28.000 Disk 0 MBR scan
    21:00:30.012 Disk 0 scanning sectors +312578048
    21:00:30.028 Disk 0 scanning C:\Windows\system32\drivers
    21:00:33.398 Service scanning
    21:00:36.440 Disk 0 trace - called modules:
    21:00:36.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    21:00:36.471 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a0030]
    21:00:36.471 3 CLASSPNP.SYS[881a5745] -> nt!IofCallDriver -> [0x852a6658]
    21:00:36.486 5 PCTCore.sys[8079a099] -> nt!IofCallDriver -> [0x8529b780]
    21:00:36.486 7 acpi.sys[8060a6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-2[0x8529bba0]
    21:00:36.502 Scan finished successfully

  4. #24
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208

    Not sure about your RAID. Run ComboFix; it should run with no problems now.

  5. #25
    Member | Join Date: Mar 2011 | Posts: 30

    Hi Ken.
    Ran ComboFix just fine. Here is the log...

    ComboFix 11-03-31.01 - 1 03/31/2011 21:29:56.1.4 - x86
    Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2046.1401 [GMT -4:00]
    Running from: c:\users\1\Desktop\ComboFix.exe
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\DFRD143.tmp
    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
    c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\enemies-names.txt
    c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\local.ini
    c:\users\1\AppData\Roaming\Adobe\plugs
    c:\users\1\AppData\Roaming\Adobe\shed
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://download.iolo.net
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\1\AppData\Local\temp
    2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-30 11:22 . 2011-03-31 01:15 -------- d-----w- c:\windows\Sun
    2011-03-30 03:04 . 2011-03-30 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-03-30 03:04 . 2011-03-30 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-30 00:34 . 2010-07-16 18:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-03-30 00:34 . 2010-07-16 18:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-03-30 00:34 . 2011-01-17 13:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-03-30 00:34 . 2010-12-16 12:38 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2011-03-30 00:34 . 2010-12-10 20:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-03-30 00:34 . 2010-12-10 17:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-03-30 00:34 . 2010-12-16 12:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-03-30 00:34 . 2011-03-31 23:27 -------- d-----w- c:\program files\PC Tools Security
    2011-03-30 00:34 . 2011-03-30 00:36 -------- d-----w- c:\program files\Common Files\PC Tools
    2011-03-29 12:34 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC0945D2-7124-4CCE-943B-1E0BBBB8CA97}\mpengine.dll
    2011-03-16 22:26 . 2010-02-09 02:59 56200 ----a-w- c:\windows\system32\offreg.dll
    2011-03-09 14:06 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 14:06 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 14:06 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 14:06 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 14:06 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 14:06 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-08 20:09 . 2011-03-08 20:09 -------- d-----w- c:\program files\Auslogics
    2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Roaming\Greyfirst
    2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Local\Greyfirst
    2011-03-08 03:03 . 2011-03-08 03:04 -------- d-----w- c:\program files\Celtx
    2011-03-02 21:53 . 2011-03-30 16:11 -------- d-----w- c:\programdata\eMule
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-30 21:28 . 2010-11-18 21:35 848 --sha-w- c:\programdata\KGyGaAvL.sys
    2011-03-15 19:24 . 2010-11-18 15:41 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
    2011-03-15 19:23 . 2010-11-18 15:41 11776 ----a-w- c:\windows\system32\smrgdf.exe
    2011-03-15 19:23 . 2010-11-18 15:41 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
    2011-03-15 19:21 . 2010-11-18 15:41 2234552 ----a-w- c:\windows\system32\Incinerator.dll
    2011-02-02 22:11 . 2010-11-19 00:03 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 07:50 . 2011-02-09 22:42 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 05:57 . 2011-02-09 22:42 292352 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2008-05-21 15519744]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
    "iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2011-03-15 434360]
    "Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
    "Conime"="c:\windows\system32\conime.exe" [2008-01-21 69120]
    "EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 136176]
    R3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
    R3 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
    R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
    R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-01-19 158248]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-10 239168]
    S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
    S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
    S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2008-12-09 20392]
    S2 AMP;AMP;c:\windows\system32\DRIVERS\amp.sys [2010-01-19 127016]
    S2 AMPSE;AMPSE;c:\windows\system32\DRIVERS\ampse.sys [2010-01-19 1118248]
    S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-01-19 121384]
    S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-01-19 117288]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-05-08 269824]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - aswMBR
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    LSP: c:\windows\system32\iavlsp.dll
    FF - ProfilePath - c:\users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
    FF - Ext: Map This: {05f6a7ea-896b-11da-8bde-f66bad1e3f3a} - %profile%\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
    FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
    FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Screen Capture Elite: screencaptureelite@plugin - %profile%\extensions\screencaptureelite@plugin
    FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    ------- File Associations -------
    .
    exefile="c:\windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 21:39
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HDAudDeck = c:\program files\VIA\VIAudioi\VDeck\VDeck.exe -r???????????????????????????????????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-03-31 21:44:13
    ComboFix-quarantined-files.txt 2011-04-01 01:44
    .
    Pre-Run: 52,054,032,384 bytes free
    Post-Run: 51,981,864,960 bytes free
    .
    - - End Of File - - 153D20A5F9BEB0E23D6894EB829B4D38

  6. #26
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208

    Great, go ahead and run OTL and run a new scan (not the fix, as it may have changed) and post the log.

  7. #27
    Member | Join Date: Mar 2011 | Posts: 30

    Here it is. Same settings as before, just a scan...

    OTL logfile created on: 3/31/2011 9:53:32 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
    Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19019)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 48.47 Gb Free Space | 32.52% Space Free | Partition Type: NTFS
    Drive J: | 464.84 Gb Total Space | 282.31 Gb Free Space | 60.73% Space Free | Partition Type: NTFS

    Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
    PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
    PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
    PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
    PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
    PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
    PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\DFDWiz.exe (Microsoft Corporation)
    PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


    ========== Modules (SafeList) ==========

    MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
    SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
    SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
    SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
    SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
    SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
    SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
    SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
    SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
    SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


    ========== Driver Services (SafeList) ==========

    DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
    DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
    DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
    DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
    DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
    DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
    DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
    DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
    DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
    DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
    DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
    DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
    DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
    DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
    DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
    IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
    FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
    FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
    FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
    FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
    FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
    FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

    [2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
    [2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
    [2011/03/31 16:24:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
    [2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
    [2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
    [2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    [2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    [2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
    [2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
    [2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
    [2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
    [2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
    [2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
    [2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
    [2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
    [2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
    [2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
    [2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
    [2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
    [2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
    [2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/03/31 21:39:20 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
    O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
    O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
    O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Java Plug-in 1.5.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
    O24 - Desktop BackupWallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
    O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
    O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\temp
    [2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/03/31 21:28:07 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/03/31 21:28:07 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/03/31 21:27:44 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/03/31 21:27:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/03/31 20:29:50 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
    [2011/03/31 18:11:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\erunt
    [2011/03/31 16:06:40 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
    [2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
    [2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
    [2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
    [2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
    [2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
    [2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
    [2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
    [2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
    [2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
    [2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
    [2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
    [2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
    [2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
    [2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
    [2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
    [2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
    [2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
    [2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
    [2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
    [2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
    [2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
    [2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
    [2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
    [2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
    [2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
    [2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
    [2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule

    ========== Files - Modified Within 30 Days ==========

    [2011/03/31 21:39:20 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/03/31 21:12:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/03/31 21:04:13 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/03/31 21:04:13 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/03/31 21:00:46 | 000,000,512 | ---- | M] () -- C:\Users\1\Desktop\MBR.dat
    [2011/03/31 21:00:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/03/31 20:59:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/03/31 20:59:45 | 2146,549,760 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/31 20:33:35 | 000,078,157 | ---- | M] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
    [2011/03/31 20:29:56 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
    [2011/03/31 19:55:07 | 000,017,744 | ---- | M] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
    [2011/03/31 19:37:15 | 326,147,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2011/03/31 19:25:36 | 004,310,832 | R--- | M] () -- C:\Users\1\Desktop\ComboFix.exe
    [2011/03/31 18:09:30 | 000,513,320 | ---- | M] () -- C:\Users\1\Desktop\erunt.zip
    [2011/03/31 15:58:01 | 000,170,887 | ---- | M] () -- C:\Users\1\Desktop\erunt error 2.jpg
    [2011/03/31 15:57:14 | 000,178,348 | ---- | M] () -- C:\Users\1\Desktop\erunt error.jpg
    [2011/03/31 14:29:40 | 000,133,413 | ---- | M] () -- C:\Users\1\Desktop\junk error.jpg
    [2011/03/31 13:44:29 | 000,102,988 | ---- | M] () -- C:\Users\1\Desktop\startup error.jpg
    [2011/03/31 13:21:12 | 000,230,285 | ---- | M] () -- C:\Users\1\Desktop\host error.jpg
    [2011/03/31 13:11:29 | 000,220,544 | ---- | M] () -- C:\Users\1\Desktop\askerror.jpg
    [2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
    [2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
    [2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
    [2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
    [2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
    [2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
    [2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
    [2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
    [2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
    [2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
    [2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
    [2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
    [2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
    [2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
    [2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
    [2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
    [2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk

    ========== Files Created - No Company Name ==========

    [2011/03/31 21:28:07 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/03/31 21:28:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/03/31 21:28:07 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/03/31 21:28:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/03/31 21:28:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/03/31 20:33:35 | 000,078,157 | ---- | C] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
    [2011/03/31 20:30:47 | 000,000,512 | ---- | C] () -- C:\Users\1\Desktop\MBR.dat
    [2011/03/31 19:55:07 | 000,017,744 | ---- | C] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
    [2011/03/31 19:25:34 | 004,310,832 | R--- | C] () -- C:\Users\1\Desktop\ComboFix.exe
    [2011/03/31 18:09:28 | 000,513,320 | ---- | C] () -- C:\Users\1\Desktop\erunt.zip
    [2011/03/31 16:06:07 | 326,147,063 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2011/03/31 15:58:00 | 000,170,887 | ---- | C] () -- C:\Users\1\Desktop\erunt error 2.jpg
    [2011/03/31 15:57:14 | 000,178,348 | ---- | C] () -- C:\Users\1\Desktop\erunt error.jpg
    [2011/03/31 14:29:40 | 000,133,413 | ---- | C] () -- C:\Users\1\Desktop\junk error.jpg
    [2011/03/31 13:44:28 | 000,102,988 | ---- | C] () -- C:\Users\1\Desktop\startup error.jpg
    [2011/03/31 13:38:02 | 2146,549,760 | -HS- | C] () -- C:\hiberfil.sys
    [2011/03/31 13:21:12 | 000,230,285 | ---- | C] () -- C:\Users\1\Desktop\host error.jpg
    [2011/03/31 13:11:29 | 000,220,544 | ---- | C] () -- C:\Users\1\Desktop\askerror.jpg
    [2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
    [2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
    [2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
    [2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
    [2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
    [2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
    [2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
    [2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
    [2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
    [2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
    [2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
    [2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
    [2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
    [2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
    [2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
    [2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
    [2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
    [2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
    [2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

    ========== LOP Check ==========

    [2011/03/30 12:15:46 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\BitTorrent
    [2010/11/18 12:22:06 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Foxit Software
    [2011/03/07 23:04:22 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Greyfirst
    [2010/12/16 16:11:16 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\iolo
    [2010/11/20 20:54:01 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\NeatImage PS
    [2010/11/23 10:29:19 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\OpenOffice.org
    [2011/01/26 13:42:45 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\PrimoPDF
    [2011/03/01 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Temp
    [2011/02/18 16:18:09 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Thunderbird
    [2011/03/31 20:58:27 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

    < End of report >
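The O35/O37 association entries, the "File not found" hooks and the alternate data streams in the log above are the kind of thing a helper picks out by eye. The script below is an added example (not from this thread, and not part of OTL or of the fix posted later) that mechanises that triage over lines copied from the log. The regexes describe OTL's line format as it appears in the posted log, and the stock `"%1" %*` open command is taken as the expected value for exefile/comfile on this Windows version; both are this example's assumptions.

```python
"""Mechanised triage of a few OTL log line classes.

Added example, not from the thread and not part of OTL or the helper's fix.
It flags three things a reviewer otherwise picks out by eye:
  * O35/O37 exefile/comfile "open" commands that differ from the stock
    "%1" %* (an interposed launcher then runs before every .exe/.com)
  * O-lines ending in "File not found" (dangling hooks to verify by hand)
  * Alternate Data Streams reported on paths that should not carry them
Assumptions: the regexes below describe OTL's line format as seen in the
posted log; STOCK_OPEN_COMMANDS is the default exefile/comfile value on
Vista-era Windows. SAMPLE_LOG is copied from the log above for offline use.
"""
import re

STOCK_OPEN_COMMANDS = {'"%1" %*'}

# O35 - HKLM\..exefile [open] -- <cmd>   /   O37 - HKLM\...exe [@ = exefile] -- <cmd>
ASSOC_RE = re.compile(r'^(?P<tag>O3[57]) - (?P<key>.+?) \[(?P<verb>[^\]]*)\] -- (?P<cmd>.*)$')
# @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?):(?P<stream>[^:\\]+)$')
# Leading executable of a shell\open\command value: quoted path or first token.
LAUNCHER_RE = re.compile(r'^"([^"]+)"|^(\S+)')

# Constructed sample: lines copied from the OTL log in the thread.
SAMPLE_LOG = r"""
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
"""


def hijacked_launcher(cmd: str):
    """Return the interposed executable when `cmd` is not the stock open
    command, else None."""
    cmd = cmd.strip()
    if cmd in STOCK_OPEN_COMMANDS:
        return None
    m = LAUNCHER_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(lines):
    """Classify OTL log lines into a dict of findings."""
    findings = {"assoc_hijacks": [], "missing": [], "ads": []}
    for raw in lines:
        line = raw.strip()
        m = ASSOC_RE.match(line)
        if m:
            exe = hijacked_launcher(m["cmd"])
            if exe is not None:
                findings["assoc_hijacks"].append((m["key"], exe))
            continue
        m = ADS_RE.match(line)
        if m:
            findings["ads"].append((m["path"], m["stream"], int(m["size"])))
            continue
        if line.startswith("O") and line.endswith("File not found"):
            findings["missing"].append(line)
    return findings


def launchers(findings):
    """Distinct interposed executables, so one rogue binary shows once even
    when it is wired into several hives."""
    return sorted({exe.lower() for _, exe in findings["assoc_hijacks"]})


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for key, exe in result["assoc_hijacks"]:
        print(f"hijacked association: {key} -> {exe}")
    for path, stream, size in result["ads"]:
        print(f"alternate data stream: {path}:{stream} ({size} bytes)")
    for item in result["missing"]:
        print(f"dangling entry: {item}")
```

Run over the sample, `triage` reports the same `eba.exe` launcher wired into the HKLM, .DEFAULT and S-1-5-18 exefile keys, the two streams on C:\ProgramData\TEMP, and two dangling entries (the autochk one is a common OTL false alarm, so "missing" is a list to verify, not a verdict). While an exefile association points at a launcher like that, every .exe the user starts passes through it first, which is worth confirming has been cleaned before trusting the output of any other tool run on the machine.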

  8. #28
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe

    Open OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

      Code:
      :processes
      killallprocesses
      
      :OTL
      [2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule
      [2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
      @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
      
      
      :Services
      
      :Reg
      
      :Files
      ipconfig /flushdns /c
      
      
      
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top. <-- not Run Scan
    • Let the program run unhindered, reboot when it is done
    • Then post the results of the log it produces.
    • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #29
    Member
    Join Date
    Mar 2011
    Posts
    30

    Default

    Sorry Ken, but I'm still getting erunt problems like before. See the attached error screenshots.

  10. #30
    Member
    Join Date
    Mar 2011
    Posts
    30

    Default

    By the way, I haven't said thank you for all the help you're giving so far. I appreciate it a bunch. If I can get through this and not lose all the images in my RAID (HD1) I'll be real happy. I'm a photographer, so they are important to me.
    Thank you.
    Dave
